Saturday, July 29, 2006

Garden Certificate Basics

I received an email last week that someone had visited Security Garden and was presented with the following message when visiting with Firefox:

"Unable to verify the identity of mvp.support.Microsoft.com as a trusted site"

As it was relayed to me, the certificate warning then provided the individual the choice of accepting the site or not.

This warning justifiably raised questions in the person's mind. What is a certificate? Is it some type of award? Does the message mean the Microsoft MVP link isn't safe? Does it mean that this site isn't safe? I assure you that the information I provide here in the Security Garden is safe, as is the MVP site. I would not intentionally post links to inappropriate or unsafe sites.

It is time to talk about digital certificates. For a technical explanation of digital certificates, see this Microsoft Technet article by Roger Grimes, entitled "Authenticode". For a hands-on, what are they, what to do, explanation, read on.


According to the definition from WhatIs.com,
A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
Simply stated, a public key certificate uses a digital signature to connect the public key with an identify. In the case the reader of this site encountered, it was information presented to verify that the key belongs to Microsoft. It is the digital equivalent of an ID card, providing the name of an individual or other entity certifying that the public key, which is included in the certificate, belongs to that individual or entity.

With all that information, what do you do when presented with a certificate? Here's an example of a site with a faked certificate, discussed at Security and Secure IT:

As soon as the site in question was placed in the address bar, the Domain Name Mismatch error popped up indicating that the site was presenting a security certificate belonging to www.microsoft.com. Since I had no doubt that the certificate did not belong to that site, I clicked Cancel. From Subratam's report, I already know that the site in question has been reported as attempting to clone a Microsoft site.

If you elect not to be bothered with those details and want to let Firefox select a certificate for you, click on Tools > Options > Advanced. Under Certificates, select the option to have Firefox select a certificate automatically.

No comments: